December 30, 2005

Netcraft - 450 phishing cases using SSL / HTTPS certs

In its first year, the Netcraft Toolbar Community has identified more than 450 confirmed phishing URLs that use "https" URLs, serving the spoof page over a Secure Sockets Layer (SSL) connection. The number of phishing attacks using SSL is significant for several reasons. Anti-phishing education initiatives have often urged Internet users to look for the SSL "golden lock" as an indicator of a site's legitimacy. Although phishers have been using SSL in attacks for more than a year, the trend seems to have drawn relatively little notice from users and the technology press.

Case in point: The use of SSL certificates in phishing scams made headlines in September when a security vendor issued a press release warning of a scam in which a spoofed phishing site used a self-signed certificate, presenting a gold lock icon but also triggering a browser warning that the certificate was not recognized. In this case, the phishers were banking on the likelihood that many users will trust the padlock and ignore the certificate warning. Despite the attention, the attack wasn't particularly new or novel.

The Netcraft Toolbar community has identified many similar phishing attacks in which spoof sites use a certificate that can be expected to trigger a browser warning, in hopes that some victims will view the "Do you want to proceed?" pop-up and simply click "Yes." Numerous scams have used a hosting company's generic shared server SSL certificate with a spoof site housed on a "sound-alike" URL lacking its own certificate.
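Both of the tricks described above come down to what the browser checks beyond the lock: whether the certificate chains to a recognised issuer, and whether the name in the certificate matches the host in the URL. The following is an added example (my own illustration, not code from Netcraft or the toolbar) that models those two checks over constructed certificate metadata; the certificates, hostnames and the `trusted_issuer` flag are all assumptions standing in for a real chain validation. It goes one step beyond the cases in the post by also showing a wildcard shared-hosting certificate, where a spoof site placed on a subdomain of the hosting company's own name would produce no warning at all.

```python
"""Model the two checks behind the padlock: issuer trust and name match.

Added example for this post; certificate details below are constructed,
not real certificates seen by the Netcraft toolbar.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CertInfo:
    subject_cn: str
    issuer_cn: str
    sans: list[str] = field(default_factory=list)
    # Assumption: stands in for a real chain-of-trust check against the
    # browser's root store.
    trusted_issuer: bool = False


def _label_match(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname.

    Follows the common browser rule: a wildcard is allowed only as the whole
    leftmost label, matches exactly one label, and may not cover a bare
    top-level domain such as "*.com". Comparison is case-insensitive and
    ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Need at least "*.domain.tld", and the same number of labels on both sides.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert: CertInfo) -> list[str]:
    # Subject Alternative Names take precedence; the CN is the legacy fallback.
    return cert.sans if cert.sans else [cert.subject_cn]


def hostname_matches(cert: CertInfo, hostname: str) -> bool:
    return any(_label_match(name, hostname) for name in names_in_cert(cert))


def browser_warnings(cert: CertInfo, hostname: str) -> list[str]:
    """Return the warnings a browser would raise for this cert on this host."""
    warnings: list[str] = []
    if not cert.trusted_issuer:
        if cert.issuer_cn == cert.subject_cn:
            warnings.append("self-signed: issuer not recognised")
        else:
            warnings.append("untrusted issuer")
    if not hostname_matches(cert, hostname):
        names = ", ".join(names_in_cert(cert))
        warnings.append(f"name mismatch: certificate is for {names}, not {hostname}")
    return warnings


# Constructed sample certificates (assumed names, not real sites).
LEGIT = CertInfo("www.examplebank.com", "Example CA",
                 sans=["www.examplebank.com", "examplebank.com"], trusted_issuer=True)
# The September case: spoof site with its own self-signed cert.
SELF_SIGNED = CertInfo("www.examplebank-secure.com", "www.examplebank-secure.com")
# A hosting company's generic wildcard cert served for a sound-alike URL.
SHARED = CertInfo("*.sharedhost.example", "Example CA", trusted_issuer=True)


def demo() -> dict[str, list[str]]:
    return {
        "legitimate bank": browser_warnings(LEGIT, "www.examplebank.com"),
        "self-signed spoof": browser_warnings(SELF_SIGNED, "www.examplebank-secure.com"),
        "shared cert, sound-alike URL": browser_warnings(SHARED, "www.examp1ebank.com"),
        # No warning at all: the wildcard legitimately covers this subdomain.
        "shared cert, hosting subdomain": browser_warnings(SHARED, "examplebank.sharedhost.example"),
    }


if __name__ == "__main__":
    for case, warnings in demo().items():
        print(f"{case}: {warnings or 'lock, no warning'}")
```

The last case is the caveat worth remembering: a spoof hosted as `something.sharedhost.example` under a wildcard certificate shows a clean lock, so the warning-click-through trick is only needed when the phisher wants a sound-alike domain name as well.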

The beauty of the golden lock icon has been that it simplified complex security concepts into a single symbol that non-technical users could understand and trust. Phishing scams designed to prompt security warnings raise the stakes, requiring users to understand what the browser warning is telling them, and how they should respond. Upcoming SSL-related interface changes in Internet Explorer 7 and other browser updates make a good start toward providing users with clearer information. But as we noted earlier this year, many banks are shifting their online banking logins to the unencrypted home pages of their websites, further muddling the issue of training customers to trust only SSL-enabled sites. The non-SSL presentation of these bank logins is already being incorporated into spoof pages.

Interesting point - this came from their Toolbar community - a design I've frequently criticised! I'm still in search of the Perfect Phish by the end of the year, so as to meet my quota in predictions.